Privacy Implications for COVID-19 Digital Contact Tracing

By Apac CIO Outlook | Thursday, December 10, 2020

Bluetooth-based contact tracing apps generally collect only a random Bluetooth identifier from a COVID-19 positive user who has input his or her diagnosis.

Fremont, CA: In order to contain the spread of Coronavirus, contact tracing has been a key tool. However, digital contact tracing has significant data privacy risks. Contact tracing means an effort by public health officials to find out individuals who have come in close contact with COVID-19 patients. Public health officials’ job is to inform these individuals that they were exposed to an infected patient and suggest them to monitor their symptoms and stay in quarantine for some time.

In response to the coronavirus pandemic, governments around the world have tried using digital contact tracing. This requires individuals to download an app on their smartphone to allow public health officials to track COVID positive patients’ contacts. At the same time, private sector companies are seeking ways to use digital technologies for contact tracing on employees as they return to the workplace.

Let us look at some privacy implications of contact tracing:

Transparency is Important

The success of many digital contact tracing initiatives taken by western governments depends on users’ eagerness to participate. Consumer trust is vital for adoption by a sufficient number of users to make contact tracing app effective. It is important that there is transparency in terms of the types of information an app will collect, how long it would store such information, as well as the third parties who will have access to the information. Government agencies and private entities providing contact tracing apps need to ensure that individuals receive adequate notice of their privacy as well as data security practices.

Bluetooth Data Linkage Problems

Bluetooth-based contact tracing apps generally collect only a random Bluetooth identifier from a COVID-19 positive user who has input his or her diagnosis. However, it might be possible for private companies or government agency to link metadata related to the infected user’s Bluetooth identifier, such as the user’s smartphone IP address, their identity and location.